Tue Apr 8 14:19:51 UTC 2014patches/packages/openssl-1.0.1g-i486-1_slack14.1.txz: Upgraded. This update fixes two security issues: A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix. Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" by Yuval Yarom and Naomi Benger. Details can be obtained from: http://eprint.iacr.org/2014/140 For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076 (* Security fix *)patches/packages/openssl-solibs-1.0.1g-i486-1_slack14.1.txz: Upgraded.+--------------------------+

Mon Apr 21 20:09:48 UTC 2014patches/packages/libyaml-0.1.6-i486-1_slack14.1.txz: Upgraded. This update fixes a heap overflow in URI escape parsing of YAML in Ruby, where a specially crafted string could cause a heap overflow leading to arbitrary code execution. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2525 https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525/ (* Security fix *)patches/packages/php-5.4.27-i486-1_slack14.1.txz: Upgraded. This update fixes a security issue in the in the awk script detector which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345 (* Security fix *)+--------------------------+

Sat Jun 7 02:47:42 UTC 2014patches/packages/mozilla-firefox-24.6.0esr-i486-1_slack14.1.txz: Upgraded. This release contains security fixes and improvements. For more information, see: http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html (* Security fix *)+--------------------------+Fri Jun 6 04:27:01 UTC 2014patches/packages/gnutls-3.1.25-i486-1_slack14.1.txz: Upgraded. A security issue has been corrected in gnutls. This vulnerability affects the client side of the gnutls library. A server that sends a specially crafted ServerHello could corrupt the memory of a requesting client. This may allow a remote attacker to execute arbitrary code. Additional vulnerabilities in the embedded libtasn1 library have also been patched. Thanks to mancha for the backported patches. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3465 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3466 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469 (* Security fix *)patches/packages/libtasn1-3.6-i486-1_slack14.1.txz: Upgraded. Multiple security issues have been corrected in the libtasn1 library. These errors allow a remote attacker to cause a denial of service, or possibly to execute arbitrary code. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3467 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3468 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469 (* Security fix *)patches/packages/openssl-1.0.1h-i486-1_slack14.1.txz: Upgraded. Multiple security issues have been corrected, including a possible man-in-the-middle attack where weak keying material is forced, denial of service, and the execution of arbitrary code. For more information, see: http://www.openssl.org/news/secadv_20140605.txt http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0195 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470 (* Security fix *)patches/packages/openssl-solibs-1.0.1h-i486-1_slack14.1.txz: Upgraded.patches/packages/sendmail-8.14.9-i486-1_slack14.1.txz: Upgraded. This release fixes one security related bug by properly closing file descriptors (except stdin, stdout, and stderr) before executing programs. This bug could enable local users to interfere with an open SMTP connection if they can execute their own program for mail delivery (e.g., via procmail or the prog mailer). For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3956 (* Security fix *)patches/packages/sendmail-cf-8.14.9-noarch-1_slack14.1.txz: Upgraded.+--------------------------+

Mon Jun 9 20:16:02 UTC 2014patches/packages/php-5.4.29-i486-1_slack14.1.txz: Upgraded. This update fixes bugs and security issues, including a possible denial of service, and an issue where insecure default permissions on the FPM socket may allow local users to run arbitrary code as the apache user. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0185 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238 (* Security fix *)+--------------------------+

Tue Jun 24 22:35:07 UTC 2014patches/packages/bind-9.9.5_P1-i486-1_slack14.1.txz: Upgraded. This fixes security issues and other bugs. Please note that the first CVE only affects Windows, and the second one was claimed to be fixed by an earlier version of BIND. But we'll update anyway just in case. :-) For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6230 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591 (* Security fix *)patches/packages/gnupg-1.4.17-i486-1_slack14.1.txz: Upgraded. This release includes a security fix to stop a denial of service using garbled compressed data packets which can be used to put gpg into an infinite loop. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4617 (* Security fix *)patches/packages/gnupg2-2.0.24-i486-1_slack14.1.txz: Upgraded. This release includes a security fix to stop a denial of service using garbled compressed data packets which can be used to put gpg into an infinite loop. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4617 (* Security fix *)patches/packages/samba-4.1.9-i486-1_slack14.1.txz: Upgraded. This update fixes bugs and security issues, including a flaw in Samba's internal DNS server which can be exploited to cause a denial of service, a flaw in SRV_SNAPSHOT_ARRAY that permits attackers to leverage configurations that use shadow_copy* for vfs objects to reveal potentially private server information, a denial of service on the nmbd NetBIOS name services daemon, and a denial of service crash involving overwriting memory on an authenticated connection to the smbd file server. For more information, see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0178 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0239 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0244 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3493 (* Security fix *)patches/packages/seamonkey-2.26.1-i486-1_slack14.1.txz: Upgraded. This update contains security fixes and improvements. For more information, see: http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html (* Security fix *)patches/packages/seamonkey-solibs-2.26.1-i486-1_slack14.1.txz: Upgraded.+--------------------------+